Singapore ISP Leaves 1,000 Routers Open to Attack

Southeast Asian telecom giant Singapore Telecommunications Limited left approximately 1,000 customer routers wide open to a potential attack via an unprotected port. The flub occurred after the region’s largest ISP conducted remote maintenance on affected routers and failed to secure the equipment when the work was complete, according to NewSky Security.

“The root cause was that port forwarding was enabled by the SingTel customer service staff to troubleshoot WiFi issues for their customers and it was not disabled when the issues were resolved,” said Ankit Anubhav, principal security researcher at NewSky Security, who discovered the security lapse last week.

NewSky Security alerted the Singapore Computer Emergency Response Team (SingCERT), which worked with Singapore Telecommunications Limited (SingTel) to resolve the issue.

“The ISP SingTel has disabled port forwarding to port 10,000 for the affected routers… ISP SingTel will be taking measures to ensure that port forwarding is disabled after troubleshooting has completed,” said Douglas Mun, deputy director of SingCERT at the Cyber Security Agency of Singapore.

SingTel did not respond to a Threatpost request for comment for this story. The researcher identified the impacted routers as part of Singtel’s own branded Wifi Gigabit Routers. According to NewSky, affected routers have been secured.

The open port left routers vulnerable to a number of different types of attack. “A hacked router can allow an attacker to reconfigure the router to re-route traffic, monitor the data packets, or even plant a malware,” Anubhav wrote in a post describing his discovery, published Monday.

He asserts that even with heightened awareness around insecure routers and IoT devices, spurred by Mirai and other similar attacks, errors like this are still too common. “On connecting through this port, we observed that one can get complete access to these devices as there was no authentication set on these devices,” Anubhav wrote. “The login feature of these devices was set to be disabled.”

That allowed researchers to use Shodan to scan for port 10,000 on the SingTel routers and log in as the devices’ admin. Once in, researchers said, attackers would not only be able to manipulate or snoop on network traffic, but would also have easy access to devices on the compromised network.

Routers are juicy targets for hackers looking to plant malware and for cybercriminals perpetrating DNS hijacking of unsecured WiFi routers.

Earlier this month, Anubhav identified 5,000 Datacom routers with no Telnet password tied to a Brazilian ISP, Oi Internet. Last week, the FBI warned of malware called VPNFilter that it said had infected 500,000 routers tied to brands Linksys, MikroTik, NETGEAR and TP-Link. Also last week, Comcast patched a bug that under certain conditions leaked customer SSID names and passwords of Xfinity routers.

Authors

Threatpost
